[syslog-ng] Syslogs not writing to disk

Balazs Scheidler bazsi77 at gmail.com
Fri May 1 06:12:26 UTC 2020 

the host filter that you apply to the incoming traffic is matching against
the $HOST macro, ie. the text within the message. This can be an IP address
or a hostname depending on various settings.

Your messages don't contain a a hostname field, thus syslog-ng will try to
"guess" it, normally based on the sending IP address but then would also
potentially use DNS to resolve it to a name.

If you want to filter on IP address, I suggest the netmask() filter.

On Thu, Apr 30, 2020 at 7:34 PM Rose, Ed <Ed_Rose at mentor.com> wrote:

> The tcpdump looks good and there doesn’t appear to be any drops.  I should
> also mention that the syslog servers are behind a Netscaler load balancer
> doing round robin load balancing between two different syslog-ng servers
> that are setup exactly the same.  I have about 10 different sources send
> logs to these syslog servers and all of them are writing to disk except
> this particular source (cisco_asa).
>
>
>
> Thanks
>
> Ed
>
>
>
>
>
>
>
> 10:24:21.525178 IP (tos 0x0, ttl 254, id 3483, offset 0, flags [none],
> proto UDP (17), length 190)
>
>     x.x.x.x  > x.x.x.x: SYSLOG, length: 162
>
>         Facility local4 (20), Severity debug (7)
>
>         Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr
> x.x.x.x: Session Attribute endpoint.am["539"].description="Trend Micro
> OfficeScan Client"\0x0a
>
> 10:24:21.525179 IP (tos 0x0, ttl 254, id 15604, offset 0, flags [none],
> proto UDP (17), length 166)
>
>     x.x.x.x > x.x.x.x: SYSLOG, length: 138
>
>         Facility local4 (20), Severity debug (7)
>
>         Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr
> x.x.x.x: Session Attribute endpoint.am["539"].version="12.0.5400"\0x0a
>
> 10:24:21.525368 IP (tos 0x0, ttl 254, id 19622, offset 0, flags [none],
> proto UDP (17), length 193)
>
>     x.x.x.x > x.x.x.x: SYSLOG, length: 165
>
>         Facility local4 (20), Severity debug (7)
>
>         Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr
> x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "Dell Inc.
> Latitude 5290 2-in-1"\0x0a
>
>
>
> *From:* syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] *On Behalf
> Of *Balazs Scheidler
> *Sent:* Thursday, April 30, 2020 10:50 AM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Syslogs not writing to disk
>
>
>
> Tcpdump shows data that is later dropped by the packet filter, so make
> sure that iptables lets the packets through.
>
>
>
> Another potential culprit is selinux, check for violations in the kernel
> log.
>
>
>
>
>
> On Thu, Apr 30, 2020, 16:20 Rose, Ed <Ed_Rose at mentor.com> wrote:
>
> Hello All,
>
>
>
> I have syslog-ng setup currently setup to write to disk and forward events
> on to a different syslog server.  Syslog isn’t writing to disk it seems.  I
> do not see any errors either, unless I am not looking in the right place
> for the errors.  Tcpdump –v host x.x.x.x shows data coming in from the host
> but a tail –f ${HOST}/log_${HOST} shows no logs going to disk.
>
>
>
> Thanks
>
> Ed
>
>
>
>
>
> syslog-ng 3 (3.14.1)
>
> Config version: 3.14
>
> Installer-Version: 3.14.1
>
> Revision:
>
> Module-Directory: /usr/lib64/syslog-ng
>
> Module-Path: /usr/lib64/syslog-ng
>
> Available-Modules:
> afmongodb,sdjournal,linux-kmsg-format,appmodel,date,pseudofile,afamqp,syslogformat,csvparser,cef,tags-parser,affile,afsocket,afstomp,tfgetent,json-plugin,confgen,system-source,stardate,graphite,dbparser,afprog,xml,add-contextual-data,snmptrapd-parser,cryptofuncs,kvformat,disk-buffer,basicfuncs,afuser,map-value-pairs
>
> Enable-Debug: off
>
> Enable-GProf: off
>
> Enable-Memtrace: off
>
> Enable-IPv6: on
>
> Enable-Spoof-Source: on
>
> Enable-TCP-Wrapper: on
>
> Enable-Linux-Caps: on
>
> Enable-Systemd: on
>
>
>
>
>
> filter f_awanra1 { host("x.x.x.x"); };
>
> filter f_bwanra1 { host("x.x.x.x"); };
>
> filter f_cwanra1 { host("x.x.x.x"); };
>
>
>
> destination d_ciscoasa {
> file("/var/log2/gns/cisco_asa/${HOST}/log_${HOST}" create-dirs(yes)
> dir-perm(0755) dir-group(splunk) perm(0640) group(splunk)); };
>
>
>
> destination d_uid1 { tcp("x.x.x.x"  port(514) ); };
>
> destination d_uid2 { tcp("x.x.x.x"  port(514) ); };
>
> destination d_uid3 { tcp("x.x.x.x"  port(514) ); };
>
> destination d_uid4 { tcp("x.x.x.x"  port(514) ); };
>
>
>
> log { source(s_net); filter(f_amywanra1); destination(d_ciscoasa);
> destination(d_uid1); destination(d_uid2); destination(d_uid3);
> destination(d_uid4); flags(final); };
>
> log { source(s_net); filter(f_cnswanra1); destination(d_ciscoasa);
> destination(d_uid1); destination(d_uid2); destination(d_uid3);
> destination(d_uid4); flags(final); };
>
> log { source(s_net); filter(f_demwanra1); destination(d_ciscoasa);
> destination(d_uid1); destination(d_uid2); destination(d_uid3);
> destination(d_uid4); flags(final); };
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>

-- 
Bazsi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200501/074c452a/attachment.html>

More information about the syslog-ng mailing list